Chapter 4. IdM API example scenarios
Use these code examples as templates to build your own automation scripts for managing users, groups, and access control. These examples demonstrate common scenarios for using IdM API commands.
4.1. Managing users with IdM API commands
You can manage IdM users programmatically with the IdM API commands. Automating user management tasks reduces manual effort and ensures consistent user provisioning across your environment.
- Creating an IdM user
  In this example, you create an IdM user with the username exampleuser and set the user's authentication type to one-time password (OTP).
      api.Command.user_add("exampleuser", givenname="Example", sn="User", ipauserauthtype="otp")
- Showing IdM user information
  In this example, you display all available information about the IdM user exampleuser.
      api.Command.user_show("exampleuser", all=True)
- Modifying an IdM user
  In this example, you change the e-mail address of the IdM user exampleuser.
      api.Command.user_mod("exampleuser", mail="exampleuser@example.org")
- Searching for an IdM user
  In this example, you search for all IdM users that match exampleuser and are members of the IdM group admins.
      api.Command.user_find(criteria="exampleuser", in_group="admins")
- Deleting an IdM user
  In this example, you delete the IdM user exampleuser.
      api.Command.user_del("exampleuser")
  This deletion is permanent. To keep the option of restoring the user later, pass the preserve=True option; a preserved user can be restored with the user_undel command.
- Adding and removing a certificate for an IdM user
  You can add or remove a Base64-encoded certificate for a user with the user_add_cert and user_remove_cert commands. In this example, you add a certificate for the user exampleuser.
      args = ["exampleuser"]
      kw = {
          "usercertificate": """
      MIICYzCCAcygAwIBAgIBADANBgkqhkiG9w0BAQUFADAuMQswCQYDVQQGEwJVUzEMMAoGA1UEC
      hMDSUJNMREwDwYDVQQLEwhMb2NhbCBDQTAeFw05OTEyMjIwNTAwMDBaFw0wMDEyMjMwNDU5NT
      laMC4xCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNJQk0xETAPBgNVBAsTCExvY2FsIENBMIGfMA0
      GCSqGSIb3DQEBATOPA4GNADCBiQKBgQD2bZEo7xGaX2/0GHkrNFZvlxBou9v1Jmt/PDiTMPve
      8r9FeJAQ0QdvFST/0JPQYD20rH0bimdDLgNdNynmyRoS2S/IInfpmf69iyc2G0TPyRvmHIiOZ
      bdCd+YBHQi1adkj17NDcWj6S14tVurFX73zx0sNoMS79q3tuXKrDsxeuwIDAQABo4GQMIGNME
      sGCVUdDwGG+EIBDQQ+EzxHZW5lcmF0ZWQgYnkgdGhlIFNlY3VyZVdheSBTZWN1cml0eSBTZXJ
      2ZXIgZm9yIE9TLzM5MCAoUkFDRikwDgYDVR0PAQH/BAQDAgAGMA8GA1UdEwEB/wQFMAMBAf8w
      HQYDVR0OBBYEFJ3+ocRyCTJw067dLSwr/nalx6YMMA0GCSqGSIb3DQEBBQUAA4GBAMaQzt+za
      j1GU77yzlr8iiMBXgdQrwsZZWJo5exnAucJAEYQZmOfyLiMD6oYq+ZnfvM0n8G/Y79q8nhwvu
      xpYOnRSAXFp6xSkrIOeZtJMY1h00LKp/JX3Ng1svZ2agE126JHsQ0bhzN5TKsYfbwfTwfjdWA
      Gy6Vf1nYi/rO+ryMO
      """
      }
      api.Command.user_add_cert(*args, **kw)
- Enabling and disabling an IdM user
  You can enable or disable an IdM user with the user_enable and user_disable commands. In this example, you disable the IdM user exampleuser.
      api.Command.user_disable("exampleuser")
4.2. Managing groups with IdM API commands
You can manage IdM groups programmatically with the IdM API commands. Automating group management helps you efficiently organize users and control access to resources.
- Creating an IdM group
  In this example, you create an IdM group developers with a specified group ID (GID) number.
      api.Command.group_add("developers", gidnumber=500, description="Developers")
- Adding a user as a member to an IdM group
  In this example, you add the admin user to the developers group.
      api.Command.group_add_member("developers", user="admin")
- Adding a service as a member to an IdM group
  In this example, you add the HTTP/server.ipa.test service to the developers group.
      api.Command.group_add_member("developers", service="HTTP/server.ipa.test")
- Adding a group as a subgroup to an IdM group
  In this example, you add another group, admins, to the developers group.
      api.Command.group_add_member("developers", group="admins")
- Adding IdM group managers
  In this example, you add the bob user as a group manager for the developers group.
      api.Command.group_add_member_manager("developers", user="bob")
- Finding an IdM group
  You can search for an IdM group using various parameters. In this example, you find all groups that the user bob is managing.
      api.Command.group_find(membermanager_user="bob")
- Displaying IdM group information
  In this example, you display information about the developers group, without the members list.
      api.Command.group_show("developers", no_members=True)
- Modifying an IdM group
  In this example, you convert the non-POSIX group testgroup to a POSIX group.
      api.Command.group_mod("testgroup", posix=True)
- Removing members from an IdM group
  In this example, you remove the admin user from the developers group.
      api.Command.group_remove_member("developers", user="admin")
- Removing IdM group managers
  In this example, you remove the user bob as a manager from the developers group.
      api.Command.group_remove_member_manager("developers", user="bob")
- Removing an IdM group
  In this example, you remove the developers group.
      api.Command.group_del("developers")
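The user and group examples in sections 4.1 and 4.2 each issue a single call. A provisioning script has to be safe to run repeatedly, so the same calls need a little logic around them. The following Python is an added example, not code from this documentation or from the FreeIPA project: it wraps user_find, user_add, user_mod and group_add_member into idempotent helpers. It assumes an initialised ipalib api object with a connected backend is passed in as api. FakeCommands and FakeApi are a constructed in-memory stand-in for api.Command so the block runs offline; they return results in the shape the real commands use (attribute values as lists, and group_add_member reporting already-present members under result["failed"] rather than raising). The names ensure_user, ensure_group_members, FakeCommands and FakeApi are the example's own.

```python
"""Idempotent user and group provisioning on top of api.Command.

Added example; not code from the documentation or the FreeIPA project.
Assumes an initialised ipalib ``api`` (bootstrap, finalize, connected
backend) is passed in. FakeCommands/FakeApi are a constructed offline
stand-in for api.Command that return results in the real shape.
"""


def ensure_user(api, uid, **attrs):
    """Create the user if it is missing, otherwise update only what differs.

    Returns "created", "updated" or "unchanged". A real server rejects a
    user_mod that changes nothing (errors.EmptyModlist), so the diff is
    computed first and user_mod is skipped when it would be empty.
    """
    found = api.Command.user_find(uid=uid)
    # Values come back as lists; match on the login exactly, not on substring.
    current = next((e for e in found["result"] if e["uid"][0] == uid), None)
    if current is None:
        api.Command.user_add(uid, **attrs)
        return "created"
    changes = {k: v for k, v in attrs.items() if current.get(k, [None])[0] != v}
    if not changes:
        return "unchanged"
    api.Command.user_mod(uid, **changes)
    return "updated"


def ensure_group_members(api, group, users):
    """Add users to a group. Returns (number added, [(user, reason), ...]).

    group_add_member does not raise for users that are already members; it
    lists them under result["failed"]["member"]["user"] with the reason
    'This entry is already a member'. That case is idempotent and is
    filtered out; every other reason (for example an unknown user) is kept.
    """
    result = api.Command.group_add_member(group, user=list(users))
    failures = result["failed"]["member"]["user"]
    real_errors = [(u, why) for u, why in failures if "already a member" not in why]
    return result["completed"], real_errors


class FakeCommands:
    """Constructed in-memory stand-in for api.Command (offline use only)."""

    def __init__(self):
        self.users, self.groups = {}, {}

    def user_find(self, criteria=None, **options):
        uid = options.get("uid")
        hits = [dict(e) for u, e in self.users.items() if uid in (None, u)]
        return {"count": len(hits), "result": hits}

    def user_add(self, uid, **options):
        self.users[uid] = {"uid": [uid], **{k: [v] for k, v in options.items()}}
        return {"value": uid, "result": dict(self.users[uid])}

    def user_mod(self, uid, **options):
        if not options:
            raise ValueError("no modifications to be performed")  # like errors.EmptyModlist
        self.users[uid].update({k: [v] for k, v in options.items()})
        return {"value": uid, "result": dict(self.users[uid])}

    def group_add_member(self, cn, user=(), **options):
        members, failed, completed = self.groups.setdefault(cn, set()), [], 0
        for u in user:
            if u not in self.users:
                failed.append((u, "no such entry"))
            elif u in members:
                failed.append((u, "This entry is already a member"))
            else:
                members.add(u)
                completed += 1
        return {"completed": completed,
                "failed": {"member": {"user": failed, "group": []}},
                "result": {"cn": [cn], "member_user": sorted(members)}}


class FakeApi:
    def __init__(self):
        self.Command = FakeCommands()


if __name__ == "__main__":
    api = FakeApi()  # with a real server: from ipalib import api (after bootstrap/finalize/connect)
    print(ensure_user(api, "exampleuser", givenname="Example", sn="User", ipauserauthtype="otp"))
    print(ensure_user(api, "exampleuser", mail="exampleuser@example.org"))
    print(ensure_group_members(api, "developers", ["exampleuser"]))
```

To use the helpers against a server, replace FakeApi() with the ipalib api object from the earlier chapters; the helper code itself does not change.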
4.3. Managing access control with IdM API commands
You can manage IdM access control programmatically with the IdM API commands. Automating permissions, privileges, and roles ensures consistent security policies and simplifies delegation of administrative tasks.
- Adding a permission for creating users
  In this example, you add a permission for creating users.
      api.Command.permission_add("Create users", ipapermright='add', type='user')
- Adding a permission for managing group membership
  In this example, you add a permission for adding users to groups.
      api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")
- Adding a privilege for the user creation process
  In this example, you add a privilege for creating users, adding them to groups, and managing user certificates. The privilege is built from three permissions. If you already created the first two in the previous examples, skip their permission_add calls: adding a permission that already exists fails with a duplicate entry error.
      api.Command.permission_add("Create users", ipapermright='add', type='user')
      api.Command.permission_add("Manage group membership", ipapermright='write', type='group', attrs="member")
      api.Command.permission_add("Manage User certificates", ipapermright='write', type='user', attrs='usercertificate')
      api.Command.privilege_add("User creation")
      api.Command.privilege_add_permission("User creation", permission="Create users")
      api.Command.privilege_add_permission("User creation", permission="Manage group membership")
      api.Command.privilege_add_permission("User creation", permission="Manage User certificates")
- Adding a role using a privilege
  In this example, you add a role using the privilege created in the previous example.
      api.Command.role_add("usermanager", description="Users manager")
      api.Command.role_add_privilege("usermanager", privilege="User creation")
- Assigning a role to a user
  In this example, you assign the usermanager role to the user bob.
      api.Command.role_add_member("usermanager", user="bob")
- Assigning a role to a group
  In this example, you assign the usermanager role to the managers group.
      api.Command.role_add_member("usermanager", group="managers")
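Building the delegation above takes one round trip per call. IdM also provides a batch command that runs a list of method calls in a single request: each entry is a dict with the method name and params, where params is a two-element list of positional arguments and options, and the response holds one result per method in submission order, with a failed method carrying an error string rather than raising. The following Python is an added example, not code from this documentation or the FreeIPA project. It assumes an initialised ipalib api object is passed to apply_delegation; the helper names permission, delegation_batch, check_results and apply_delegation are the example's own, and refusing ipapermright='all' is this example's least-privilege policy, not an IdM restriction. A batch is not transactional: methods before a failed one stay applied, which is why every result is checked.

```python
"""Least-privilege delegation (permissions -> privilege -> role -> members)
expressed as one IdM batch request.

Added example, not part of the documentation. Assumes an initialised
ipalib ``api`` is passed to apply_delegation(); everything else is offline.
"""

# Rights this example is willing to delegate. 'all' is a valid IdM right but
# is rejected here on purpose: build roles from the narrowest right that works.
ALLOWED_RIGHTS = {"add", "delete", "read", "search", "compare", "write"}


def permission(name, right, obj_type, attrs=None):
    """One permission_add method entry for a batch request."""
    if right not in ALLOWED_RIGHTS:
        raise ValueError(f"refusing right {right!r} for {name!r}; grant the narrowest right that works")
    options = {"ipapermright": right, "type": obj_type}
    if attrs:
        options["attrs"] = list(attrs)
    return {"method": "permission_add", "params": [[name], options]}


def delegation_batch(role, privilege, permissions, users=(), groups=(), description=None):
    """Return the ordered method list: every object is created before it is referenced."""
    methods = list(permissions)
    methods.append({"method": "privilege_add", "params": [[privilege], {}]})
    for perm in permissions:
        perm_name = perm["params"][0][0]
        methods.append({"method": "privilege_add_permission",
                        "params": [[privilege], {"permission": perm_name}]})
    role_opts = {"description": description} if description else {}
    methods.append({"method": "role_add", "params": [[role], role_opts]})
    methods.append({"method": "role_add_privilege", "params": [[role], {"privilege": privilege}]})
    members = {}
    if users:
        members["user"] = list(users)
    if groups:
        members["group"] = list(groups)
    if members:
        methods.append({"method": "role_add_member", "params": [[role], members]})
    return methods


def check_results(methods, response):
    """Pair each submitted method with the 'error' of its result (None on success)."""
    results = response["results"]
    if len(results) != len(methods):
        raise RuntimeError("batch returned %d results for %d methods" % (len(results), len(methods)))
    return [(m["method"], r.get("error")) for m, r in zip(methods, results)]


def apply_delegation(api, methods):
    """Submit to a live server. Raises if any method failed, because the
    methods before it have already been applied and the role is half-built."""
    outcome = check_results(methods, api.Command.batch(methods=methods))
    failed = [(name, err) for name, err in outcome if err]
    if failed:
        raise RuntimeError("batch partially failed: %r" % failed)
    return outcome


if __name__ == "__main__":
    perms = [
        permission("Create users", "add", "user"),
        permission("Manage group membership", "write", "group", ["member"]),
        permission("Manage User certificates", "write", "user", ["usercertificate"]),
    ]
    for entry in delegation_batch("usermanager", "User creation", perms,
                                  users=["bob"], groups=["managers"], description="Users manager"):
        print(entry["method"], entry["params"])
    # On a server: apply_delegation(api, delegation_batch(...))
```

Because delegation_batch is a pure function, the request can be reviewed, diffed or stored before anything is sent, which is the natural place to catch an over-broad permission in code review.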
4.4. Managing sudo rules with IdM API commands
You can manage sudo rules programmatically with the IdM API commands. Automating sudo rule management helps you control privilege escalation and enforce consistent security policies across your hosts.
- Creating a sudo rule
  In this example, you create a sudo rule, timechange, that holds time change commands.
      api.Command.sudorule_add("timechange")
- Creating a sudo command
  In this example, you create the date sudo command.
      api.Command.sudocmd_add("/usr/bin/date")
- Attaching a sudo command to a sudo rule
  In this example, you attach the date sudo command to the timechange sudo rule.
      api.Command.sudorule_add_allow_command("timechange", sudocmd="/usr/bin/date")
- Creating and attaching groups of sudo commands
  In this example, you create multiple sudo commands, add them to a newly created timecmds sudo command group, and attach the group to the timechange sudo rule. If you already created /usr/bin/date in the previous example, skip that sudocmd_add call: adding a sudo command that already exists fails with a duplicate entry error.
      api.Command.sudocmd_add("/usr/bin/date")
      api.Command.sudocmd_add("/usr/bin/timedatectl")
      api.Command.sudocmd_add("/usr/sbin/hwclock")
      api.Command.sudocmdgroup_add("timecmds")
      api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/bin/date")
      api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/bin/timedatectl")
      api.Command.sudocmdgroup_add_member("timecmds", sudocmd="/usr/sbin/hwclock")
      api.Command.sudorule_add_allow_command("timechange", sudocmdgroup="timecmds")
- Denying sudo commands
  In this example, you add the rm command to the timechange rule as a denied command. A deny entry only excludes a command from what the same rule would otherwise allow, so it matters mainly for rules that allow all commands (cmdcategory=all); even then, the sudoers documentation warns that subtracting commands from ALL is easy to bypass, for example by running a copy of the binary under another name.
      api.Command.sudocmd_add("/usr/bin/rm")
      api.Command.sudorule_add_deny_command("timechange", sudocmd="/usr/bin/rm")
- Adding a user to a sudo rule
  In this example, you add the user bob to the timechange sudo rule.
      api.Command.sudorule_add_user("timechange", user="bob")
- Making a sudo rule available only for a specified host
  In this example, you restrict the timechange rule to the client.ipa.test host.
      api.Command.sudorule_add_host("timechange", host="client.ipa.test")
- Setting sudo rules to be run as a different user
  By default, the commands in a sudo rule run as root. In this example, you set the commands of the timechange sudo rule to run as the alice user instead.
      api.Command.sudorule_add_runasuser("timechange", user="alice")
- Setting sudo rules to be run as a group
  In this example, you set the commands of the timechange sudo rule to run as the sysadmins group.
      api.Command.sudorule_add_runasgroup("timechange", group="sysadmins")
- Setting a sudo option for a sudo rule
  In this example, you set a sudo option for the timechange sudo rule that logs the commands it runs to a dedicated file.
      api.Command.sudorule_add_option("timechange", ipasudoopt="logfile='/var/log/timechange_log'")
- Enabling a sudo rule
  In this example, you enable the timechange sudo rule. Note that sudorule_add creates a rule in the enabled state, so a new rule takes effect as soon as it has users and hosts.
      api.Command.sudorule_enable("timechange")
- Disabling a sudo rule
  In this example, you disable the timechange sudo rule.
      api.Command.sudorule_disable("timechange")
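Once sudo rules exist, the same API lets you read them back and review what they grant. The following Python is an added example, not part of this documentation or the FreeIPA project: it audits rule dicts of the shape returned in api.Command.sudorule_find(all=True)["result"] for settings that widen a rule beyond what the examples above create. SAMPLE_RULES is constructed data that mirrors the attribute names of that output (cn, ipaenabledflag, cmdcategory, hostcategory, usercategory, ipasudorunasusercategory, memberallowcmd_sudocmd, memberdenycmd_sudocmd, ipasudoopt); the first sample is the timechange rule built in this section. The lists of shell-capable commands and risky options are the example's own starting points, not an exhaustive policy, and the function names are the example's own.

```python
"""Flag sudo rules that grant more than they appear to.

Added example, not from the documentation. Consumes entries as returned by
api.Command.sudorule_find(all=True)["result"]; SAMPLE_RULES is constructed
data in that shape so the audit runs offline.
"""

# Commands that give an interactive shell or arbitrary file writes as the
# run-as user; extend for your environment (example policy, not IdM's).
SHELL_CAPABLE = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/su",
                 "/usr/bin/vi", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/find"}
RISKY_OPTIONS = {"!authenticate": "no password prompt (!authenticate)",
                 "setenv": "caller may set environment variables (setenv)"}


def _first(rule, attr, default=None):
    """IdM returns every attribute as a list; take the single value."""
    return rule.get(attr, [default])[0]


def _enabled(rule):
    # Newer servers return [True]; older ones return ['TRUE'].
    return str(_first(rule, "ipaenabledflag", True)).lower() == "true"


def audit_sudo_rule(rule):
    """Return a list of findings for one rule; an empty list means nothing flagged."""
    findings = []
    if not _enabled(rule):
        return findings                      # a disabled rule grants nothing
    any_cmd = _first(rule, "cmdcategory") == "all"
    if any_cmd:
        findings.append("allows any command (cmdcategory=all)")
    if _first(rule, "hostcategory") == "all":
        findings.append("applies to every enrolled host (hostcategory=all)")
    if _first(rule, "usercategory") == "all":
        findings.append("applies to every user (usercategory=all)")
    if _first(rule, "ipasudorunasusercategory") == "all":
        findings.append("may run as any user (ipasudorunasusercategory=all)")
    for opt in rule.get("ipasudoopt", []):
        if opt.strip() in RISKY_OPTIONS:
            findings.append(RISKY_OPTIONS[opt.strip()])
    shells = sorted(set(rule.get("memberallowcmd_sudocmd", [])) & SHELL_CAPABLE)
    if shells:
        findings.append("allowed commands can spawn a shell or edit arbitrary files: " + ", ".join(shells))
    if any_cmd and rule.get("memberdenycmd_sudocmd"):
        findings.append("deny list subtracted from ALL is bypassable (copy or rename the binary)")
    return findings


def audit_sudo_rules(rules):
    """Map rule name -> findings, for rules that have at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_sudo_rule(rule)
        if findings:
            report[_first(rule, "cn")] = findings
    return report


# Constructed sample data in the shape of sudorule_find(all=True)["result"].
SAMPLE_RULES = [
    {"cn": ["timechange"], "ipaenabledflag": [True],
     "memberallowcmd_sudocmd": ["/usr/bin/date", "/usr/bin/timedatectl", "/usr/sbin/hwclock"],
     "memberdenycmd_sudocmd": ["/usr/bin/rm"], "ipasudorunas_user": ["alice"],
     "ipasudoopt": ["logfile='/var/log/timechange_log'"], "memberhost_host": ["client.ipa.test"]},
    {"cn": ["admins_all"], "ipaenabledflag": [True], "cmdcategory": ["all"], "hostcategory": ["all"],
     "memberuser_group": ["admins"], "memberdenycmd_sudocmd": ["/usr/bin/rm"],
     "ipasudoopt": ["!authenticate"]},
    {"cn": ["legacy"], "ipaenabledflag": [False], "cmdcategory": ["all"], "hostcategory": ["all"]},
    {"cn": ["editors"], "ipaenabledflag": ["TRUE"], "memberallowcmd_sudocmd": ["/usr/bin/vim"],
     "memberuser_group": ["developers"], "memberhost_hostgroup": ["workstations"]},
]


if __name__ == "__main__":
    # Live use: audit_sudo_rules(api.Command.sudorule_find(all=True)["result"])
    for name, findings in audit_sudo_rules(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The timechange rule from this section passes the audit: its allowed commands are explicit, it is bound to one host and runs as a named user. The deny entry on /usr/bin/rm is harmless there because the rule never allowed rm; the same deny entry on admins_all is flagged because it is the bypassable "ALL minus rm" pattern.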
4.5. Managing Host-based Access Control with IdM API commands
You can manage Host-based Access Control (HBAC) rules programmatically with the IdM API commands. Automating HBAC configuration helps you control which users can access specific services on designated hosts.
- Creating an HBAC rule
  In this example, you create a base rule that will handle SSH service access.
      api.Command.hbacrule_add("sshd_rule")
- Adding a user to an HBAC rule
  In this example, you add the user john to the sshd_rule HBAC rule.
      api.Command.hbacrule_add_user("sshd_rule", user="john")
- Adding a group to an HBAC rule
  In this example, you add the group developers to the sshd_rule HBAC rule. The same hbacrule_add_user command handles both users and groups.
      api.Command.hbacrule_add_user("sshd_rule", group="developers")
- Removing a user from an HBAC rule
  In this example, you remove the user john from the sshd_rule HBAC rule.
      api.Command.hbacrule_remove_user("sshd_rule", user="john")
- Registering a new target HBAC service
  You must register a target service before you can attach it to an HBAC rule. In this example, you register the chronyd service.
      api.Command.hbacsvc_add("chronyd")
- Attaching a registered service to an HBAC rule
  In this example, you attach the sshd service to the sshd_rule HBAC rule. This service is registered in IdM by default, so there is no need to register it with hbacsvc_add beforehand.
      api.Command.hbacrule_add_service("sshd_rule", hbacsvc="sshd")
- Adding a host to an HBAC rule
  In this example, you add the workstations host group to the sshd_rule HBAC rule.
      api.Command.hbacrule_add_host("sshd_rule", hostgroup="workstations")
- Testing an HBAC rule
  In this example, you test whether the sshd_rule HBAC rule grants the user john access to the sshd service on the host workstation.ipa.test. Because the rules option is set, only sshd_rule is evaluated; leave it out to evaluate all enabled rules, including the allow_all rule that a new IdM installation contains.
      api.Command.hbactest(user="john", targethost="workstation.ipa.test", service="sshd", rules="sshd_rule")
- Enabling an HBAC rule
  In this example, you enable the sshd_rule HBAC rule.
      api.Command.hbacrule_enable("sshd_rule")
- Disabling an HBAC rule
  In this example, you disable the sshd_rule HBAC rule.
      api.Command.hbacrule_disable("sshd_rule")
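hbactest asks the server for a verdict. To make clear what that verdict is based on, the following Python is an offline model of HBAC evaluation, added here as an example; it is not the server's hbactest plugin or SSSD's evaluator. It consumes rule dicts shaped like the entries of api.Command.hbacrule_find(all=True)["result"] (cn, ipaenabledflag, usercategory, hostcategory, servicecategory, memberuser_user, memberuser_group, memberhost_host, memberhost_hostgroup, memberservice_hbacsvc, memberservice_hbacsvcgroup). Group, host-group and service-group memberships are passed in already resolved, because the server resolves nested membership itself. ALLOW_ALL and SSHD_RULE are constructed data: the first mirrors the default rule of a fresh installation, the second the sshd_rule built in this section. The function names are the example's own.

```python
"""Offline model of HBAC rule evaluation (what hbactest computes).

Added example; not the project's evaluator. HBAC rules only grant access:
there are no deny rules, and a request is allowed when at least one enabled
rule matches its user, host and service.
"""


def _first(rule, attr, default=None):
    """IdM returns every attribute as a list; take the single value."""
    return rule.get(attr, [default])[0]


def _enabled(rule):
    # Newer servers return [True]; older ones return ['TRUE'].
    return str(_first(rule, "ipaenabledflag", True)).lower() == "true"


def _component_matches(rule, category_attr, member_attrs, names):
    """A rule component matches when its category is 'all' or any listed
    member (direct or via a group) is among the request's names."""
    if _first(rule, category_attr) == "all":
        return True
    return any(value in names for attr in member_attrs for value in rule.get(attr, []))


def hbac_allowed(rules, user, user_groups, host, host_groups, service, service_groups=()):
    """Return (allowed, [names of enabled rules that matched])."""
    matched = []
    for rule in rules:
        if not _enabled(rule):
            continue
        user_ok = _component_matches(rule, "usercategory",
                                     ("memberuser_user", "memberuser_group"),
                                     {user, *user_groups})
        host_ok = _component_matches(rule, "hostcategory",
                                     ("memberhost_host", "memberhost_hostgroup"),
                                     {host, *host_groups})
        svc_ok = _component_matches(rule, "servicecategory",
                                    ("memberservice_hbacsvc", "memberservice_hbacsvcgroup"),
                                    {service, *service_groups})
        if user_ok and host_ok and svc_ok:
            matched.append(_first(rule, "cn"))
    return bool(matched), matched


# Constructed sample rules in the shape of hbacrule_find(all=True)["result"].
ALLOW_ALL = {"cn": ["allow_all"], "ipaenabledflag": [True],
             "usercategory": ["all"], "hostcategory": ["all"], "servicecategory": ["all"]}
SSHD_RULE = {"cn": ["sshd_rule"], "ipaenabledflag": [True],
             "memberuser_user": ["john"], "memberuser_group": ["developers"],
             "memberhost_hostgroup": ["workstations"], "memberservice_hbacsvc": ["sshd"]}


if __name__ == "__main__":
    # With allow_all still enabled, sshd_rule changes nothing: everyone is allowed.
    print(hbac_allowed([ALLOW_ALL, SSHD_RULE], "bob", [], "db.ipa.test", [], "sshd"))
    # After hbacrule_disable("allow_all"), only explicit rules grant access.
    rules = [dict(ALLOW_ALL, ipaenabledflag=[False]), SSHD_RULE]
    print(hbac_allowed(rules, "john", [], "workstation.ipa.test", ["workstations"], "sshd"))
    print(hbac_allowed(rules, "bob", [], "workstation.ipa.test", ["workstations"], "sshd"))
    print(hbac_allowed(rules, "john", [], "workstation.ipa.test", ["workstations"], "chronyd"))
```

The first call is the practical caveat: as long as the default allow_all rule is enabled, a carefully scoped sshd_rule adds nothing, and hbactest without the rules option reports allow_all among the matched rules. The remaining calls show that after disabling allow_all, access depends on all three components matching.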